In follow-up of yesterday's post on function creep, there are of course a lot more arguments against government-created central databases of personal data - or indeed of any kind. A number of them are IT-related, as governments seem to dangerously misjudge the nature of digital information.
Whether this is naivety (after all, current politicians may just be of a generation that is too old to grasp such issues) or hubris, it's hard to say. But in the Netherlands at least, we keep seeing old-paradigm thinking - a belief in centralized and Kafkaesque bureaucracies - applied to new-paradigm tools that favor decentralised, transparent solutions.
At least three fallacies plague the rethoric around government IT projects:
- Feasability: As Raphaël points out, "we're pouring hundreds of millions of euros of public money in IT projects that are risky and shaky in so many ways, it'd be a miracle if they were successful, purely from a technical and project management standpoint." However, with such enormous projects tendered to large IT firms, it would also be a miracle if they'd advise against it.
- Security: Every government IT project comes with endless guarantees of data security, but the list of embarrassing failures is just as long. The rule of thumb here, as the entertainment industry has learned the hard way, is: "Every time a 40-year-old creates a security system, a 14-year-old thinks of a way around it." Obviously, this is a battle you can't win.
- Accuracy: There is an almost superstitious belief in the accuracy of information on screens. But however digital the database, filling it is still the work of humans - whether by typing, scanning or fingerprinting - and thus prone to mistakes. And the more information you gather in one place, the more mistakes it will contain.
Note that this doesn't even include the question of how effective such databases could be in their stated purpose (catching terrorists, improving health, etc.). This has never been even sketchily proven either way.
But combine the above in actual policies and it conjures up bizarre situations where half-functioning databases determine that some random 4-year-old must be refused on a flight because he's on a suspected terrorist list. Even worse, there appears to be no way to remove the kid from the list...
Update: This article in Trouw (in Dutch) by a number of ICT law professors, eloquently substantiates my rant. For instance, they state (loosely translated) that "not a single organization has proven capable to safeguard data adequately for long periods of time."